Author Topic: Microsoft Says Rootkit Caused Windows Blue Screens (Alureon, TDSS, Tidserv TDL3)  (Read 10579 times)


Samker

Microsoft late on Wednesday confirmed that a rootkit caused Windows PCs to crash after users applied a security patch issued last week.

Only systems infected with the Alureon rootkit (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Alureon.A) were incapacitated with Blue Screen of Death (BSOD) errors that prevented booting, said Mike Reavey, the director of the Microsoft Security Response Center (MSRC), in an announcement on the center's blog. "Our investigation has concluded that the reboot occurs because the system is infected with malware," said Reavey (http://blogs.technet.com/msrc/archive/2010/02/17/update-restart-issues-after-installing-ms10-015-and-the-alureon-rootkit.aspx).

He added that the MS10-015 update was not at fault. "We have not found quality issues with security update MS10-015," Reavey maintained.

Microsoft's conclusion that malware was to blame was not unexpected. Last week, the rootkit -- also called TDSS, Tidserv and TDL3 -- had been named by security researchers as the likely culprit.

Within hours of the Jan. 9 release of MS10-015 and 12 other security updates, users reported that their computers wouldn't restart. Two days later, Microsoft halted automatic distribution of MS10-015 and launched an investigation, which revealed that malware might be the cause.

Yesterday, Reavey echoed independent researchers who earlier had blamed an address conflict between MS10-015 and the rootkit for the debacle. "Malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address," explained Reavey. "MS10-015 was downloaded and installed, during which the location of Windows code changed. On the next reboot the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function."

MS10-015 patched a 17-year-old bug in the kernel of all 32-bit versions of Windows.

Reavey acknowledged that Microsoft's patch quality control did not catch the conflict because it's difficult to create malware interaction tests. "These types of infections often leave the machine in such an unstable state that it cannot be reliably tested," said Reavey. He also confirmed that all 32-bit versions of Windows were susceptible to Alureon-caused crashes, including Windows 7, even though the bulk of complaints came from users running Windows XP.

That shouldn't be a surprise: XP is the dominant operating system worldwide.

Although several security firms have published instructions and tools for users trapped with a BSOD, Microsoft hasn't issued any advice for those already affected. Reavey's recommendation was brutal: "If customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk," he said.

He did not explain how users were to regain control of their non-booting PCs, however.

Kaspersky Lab offers a less extreme workaround: a free utility that seeks out and destroys the rootkit (download the .zip file for Windows PCs: http://support.kaspersky.com/downloads/utils/tdsskiller.zip).

Symantec, meanwhile, has urged users to replace rootkit-infected drivers with clean copies: http://www.symantec.com/connect/blogs/tidserv-and-ms10-015

Microsoft will provide a way for users to detect and remove the Alureon rootkit from infected PCs, but Reavey said it would be "a few weeks" before it is ready. In the past, Microsoft has used its Malicious Software Removal Tool (MSRT), a free program updated each Patch Tuesday, to seek out and destroy rootkits. The next scheduled refresh of the MSRT is March 9, nearly three weeks away.

Because the rootkit only infects machines running 32-bit Windows, Microsoft has lifted the Automatic Updates embargo on MS10-015 for 64-bit systems.

(PCW)
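The address conflict the article describes, as an added example that is not part of the post or of any Microsoft or vendor code: a constructed C simulation of a kernel export table before and after a patch, showing a stale hardcoded-slot call beside name-based resolution, plus the compatibility check a driver vendor could run against a newly patched kernel. All routine and export names here are invented stand-ins, not real Windows symbols.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel's export table; none of this is real Windows code. */
typedef int (*kfunc_t)(int);
static int nt_open_file(int x)  { return x + 1; }
static int nt_read_file(int x)  { return x * 2; }
static int nt_query_info(int x) { return x - 1; }

struct kexport { const char *name; kfunc_t fn; };
#define NEXPORTS 3

/* Kernel as the rootkit's author observed it: NtReadFile sits in slot 1. */
static const struct kexport kernel_before[NEXPORTS] = {
    { "NtOpenFile", nt_open_file }, { "NtReadFile", nt_read_file }, { "NtQueryInfo", nt_query_info },
};
/* Same exports after a patch rearranged kernel code: slot 1 is now a different routine. */
static const struct kexport kernel_after[NEXPORTS] = {
    { "NtQueryInfo", nt_query_info }, { "NtOpenFile", nt_open_file }, { "NtReadFile", nt_read_file },
};

/* What Alureon effectively did: jump to a location baked in from one kernel build.
 * In this simulation the stale slot still lands on some routine; on a real kernel it
 * lands on an arbitrary address, which is the BSOD the article describes. */
static kfunc_t call_by_fixed_slot(const struct kexport *k, int slot) { return k[slot].fn; }

/* What a well-behaved driver does: let the OS resolve the name to an address each boot. */
static kfunc_t resolve_by_name(const struct kexport *k, const char *name) {
    for (int i = 0; i < NEXPORTS; i++)
        if (strcmp(k[i].name, name) == 0) return k[i].fn;
    return NULL;
}

/* Slots a hypothetical component hardcoded, and the routine it expects in each. */
static const int hooked_slots[] = { 0, 1 };
static const char *const hooked_names[] = { "NtOpenFile", "NtReadFile" };

/* Compatibility check against a patched kernel: how many baked-in addresses no longer
 * name the routine the component expects? 0 means the patch is safe for that component. */
static int count_stale_slots(const struct kexport *patched, const int *slots,
                             const char *const *expected, int n) {
    int stale = 0;
    for (int i = 0; i < n; i++)
        if (strcmp(patched[slots[i]].name, expected[i]) != 0) stale++;
    return stale;
}

int main(void) {
    printf("stale hardcoded slots after patch: %d\n",
           count_stale_slots(kernel_after, hooked_slots, hooked_names, 2));
    printf("NtReadFile still resolvable by name: %s\n",
           resolve_by_name(kernel_after, "NtReadFile") == nt_read_file ? "yes" : "no");
    return 0;
}
```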

jake2pointzero

Can an updated McAfee VirusScan Enterprise 8.5i detect Alureon, TDSS, Tidserv and TDL3?

jake2pointzero

Samker,

Can the latest version of the Microsoft Windows Malicious Software Removal Tool detect TDSS, Tidserv and TDL3?

I updated my Windows XP Pro without KB977165, and the latest version of the Microsoft Windows Malicious Software Removal Tool did not detect Alureon, TDSS, Tidserv or TDL3. But when I ran the free Kaspersky Lab utility suggested in the above article, it detected and cleaned the TDSS rootkit. It seems MSRT did not detect TDSS, so I'm wondering if my system is still infected with Alureon. Is there any free cleaning utility like Kaspersky's that would detect and clean Alureon?

help.

jake

Samker

remove, fix, clean, delete, Alureon, TDSS, Tidserv, TDL3
« Reply #3 on: 19. February 2010., 19:13:21 »
Hi Jake, don't worry, we'll resolve this quickly. ;)

Because other SCF visitors may have a similar problem, is it possible for you to open a new thread in the SCF "PC Help Center": http://scforum.info/index.php?action=forum


Download, install and run a full scan with SUPERAntiSpyware: http://scforum.info/index.php/topic,116.0.html

After that don't forget to provide us logs from HJT and Windows Live OneCare:
http://scforum.info/index.php/topic,734.0.html


P.S.

If we have "luck", MSRT will detect this after the next Patch Tuesday :thumbsdown: : http://en.wikipedia.org/wiki/Patch_Tuesday


rkprd

how can i remove the alureon rootkit (Alureon, TDSS, Tidserv, TDL3)
« Reply #4 on: 22. February 2010., 02:42:14 »
Hello, I found this page while searching on Google for a way to fix this error. My question is: how can I remove the Alureon rootkit if I can't go into Windows to access my antivirus program? Is there an antivirus program that I can burn on a CD and boot from? If someone can help, I would greatly appreciate it. Thanks.

Samker

Re: how can i remove the alureon rootkit (Alureon, TDSS, Tidserv, TDL3)
« Reply #5 on: 22. February 2010., 05:52:02 »
Hello, I found this page while searching on Google for a way to fix this error. My question is: how can I remove the Alureon rootkit if I can't go into Windows to access my antivirus program? Is there an antivirus program that I can burn on a CD and boot from? If someone can help, I would greatly appreciate it. Thanks.

Hi R.,

don't worry, we'll help you remove this rootkit (just like Jake).

Please open your own Topic at SCF "PC Help Center": http://scforum.info/index.php?action=forum

... including all possible information related to this problem/infection and logs from HijackThis, BitDefender and Live OneCare: http://scforum.info/index.php/topic,734.0.html

Best Regards,

S.


rkprd

All done, Samker, thanks.
